Charts: [docker-registry] add authentication support

Created on 11 Jan 2018 · 22 Comments · Source: helm/charts

Is it possible to add authentication with Htpasswd support for the registry chart?

lifecycle/stale

All 22 comments

I made a pull request (#3303)

Hi @Adriien-M
I'm trying to use this feature, I created htpasswd and stored it as a secret.
Now in my values I have the name of the secret listed:

secrets:
  haSharedSecret: ""
  htpasswd: registry-htpasswd

My error is:
time="2018-02-13T05:15:09Z" level=warning msg="error authorizing context: htpasswd: invalid entry at line 1: \"registry-htpasswd\""

Can the steps to implement this just be cleared up a bit in the docs?
Thanks!

I think I worked this out with the value htpasswd being the actual content of the htpasswd file eg:

htpasswd: "user:<passwordHash>"

Does that mean only one user can be specified?

I don't know if it's possible to specify several users in docker registry.
However, in this chart, you have to specify the entire htpasswd file generated by this command (from the docker documentation):

docker run \
  --entrypoint htpasswd \
  registry:2 -Bbn testuser testpassword > auth/htpasswd

Sorry if I sound dumb, it might be helm ignorance, but I am specifying the path to the file and helm will draw it in during deploy?

No, specifying the file path will not work; you have to specify directly the file content generated by the previous command.

Ok, I did that and the chart did not push it through. I looked at the secret generated, and htpasswd was missing.

service:
  type: "NodePort"
secrets:
  htpasswd: "deployuser:PASS"

apiVersion: v1
data:
  haSharedSecret: N1pMMnBQNVNvMDltWGZsSQ==
kind: Secret
metadata:

And it leaves the registry still wide open with no password.

Also, if you turn on TLS, it breaks as well:

Warning Unhealthy 1m (x5 over 1m) kubelet, ut-kub8 Liveness probe failed: Get https://10.244.3.62:5000/: http: server gave HTTP response to HTTPS client

FYI, it's filled with errors:

time="2018-03-13T21:02:21Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_DOCKER_REGISTRY_PORT"

Did some more work. I think it is having an issue with the fact I can't activate SSL. With those environment variables broken and unable to modify the docker container into an SSL setup, it's blocking htpasswd. If I read it correctly, htpasswd won't work without SSL active.

If you terminate SSL on your Ingress you can leave it turned off in the Pod.

Doesn't matter if I can't get htpasswd to work, and at this phase something seems broken. shrug. It won't pass htpasswd into the secret, and something isn't configuring correctly to use the secret, as even if I edit the secret directly and put the base64 version of the htpasswd into the data line, the registry still fails to force authentication. So to me, this feature is currently broke unless I am missing something.

Well.... FYI, the OSX/Mac version of Helm does not work. The version of Helm I have on other machines does...... That's scary.

JMS

I also had some trouble with htpasswd. First generate an htpasswd file:

docker run --entrypoint htpasswd registry:2 -Bbn user password > ./htpasswd

Then put the content of your htpasswd file in your values template, following this format:

secrets:
  haSharedSecret: ""
  htpasswd: |-
      user:<your password hash>

That's it!

And if you want to turn on TLS on your pod (by giving a secret to tlsSecretName in your values template), you will have to use this ingress annotation to pass TLS through Nginx:

nginx.ingress.kubernetes.io/secure-backends: "true"

Also, SSL certs are broken in the current chart version, so it started to work well only after applying manually these fixes.

Hope this will help!

I also can't get the htpasswd to work. I've followed the documentation, and also tried what @yaumeg suggested but I'm not getting prompted for user:pass, leaving the registry wide open.

I have the same problem. Now it's working OK after I update the secret, like this:
1, create the htpasswd
docker run --entrypoint htpasswd registry:2 -Bbn leo leo123 > ./htpasswd
leo:$2y$05$jp6al.Ijhkf9HszNYGrINuC4Ho5Oc.n4XNDQuH8wuuxP9Ih4NCZ0.
2, base64 it yourself
echo 'leo:$2y$05$jp6al.Ijhkf9HszNYGrINuC4Ho5Oc.n4XNDQuH8wuuxP9Ih4NCZ0.'|base64
bGVvOiQyeSQwNSRqcDZhbC5JamhrZjlIc3pOWUdySU51QzRIbzVPYy5uNFhORFF1SDh3dXV4UDlJ
aDROQ1owLgo=
3, edit the secret
kubectl edit secret cranky-molly-docker-registry-secret

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

This issue is being automatically closed due to inactivity.
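
Added example, not part of the thread or of the chart: a shell check for the failure modes reported above (a secret name or plain password where htpasswd content is expected, a Secret without usable htpasswd data, and a registry that still answers without credentials). It assumes GNU `base64 -d`, `curl`, and that the Secret stores the file under an `htpasswd` key; it relies on the registry accepting only bcrypt htpasswd entries. The registry URL and the `<release>` name are placeholders.

```shell
#!/bin/sh
# Added example. Reads htpasswd content on stdin; succeeds only if there is
# at least one entry and every entry is user:<bcrypt hash>.
check_htpasswd() {
  n=0 bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    n=$((n + 1))
    case "$line" in
      *:*) ;;
      *) echo "entry $n: no user:hash pair (secret name or file path?)" >&2
         bad=1; continue ;;
    esac
    user=${line%%:*}
    hash=${line#*:}
    [ -n "$user" ] || { echo "entry $n: empty user name" >&2; bad=1; }
    # bcrypt: $2a$/$2b$/$2y$, two-digit cost, 53 more characters (60 total)
    case "$hash" in
      '$2'[aby]'$'[0-9][0-9]'$'*)
        [ "${#hash}" -eq 60 ] || { echo "entry $n: truncated hash" >&2; bad=1; } ;;
      *) echo "entry $n: password is not a bcrypt hash" >&2; bad=1 ;;
    esac
  done
  [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Validates the base64 value of the Secret's htpasswd field (assumed key name),
# e.g. from: kubectl get secret <release>-docker-registry-secret \
#              -o jsonpath='{.data.htpasswd}'
# Line wrapping added by `base64` is removed before decoding (GNU `base64 -d`).
check_secret_b64() {
  printf '%s' "$1" | tr -d ' \n' | base64 -d 2>/dev/null | check_htpasswd
}

# True if an anonymous GET of the registry API root is rejected with 401.
# $1 is the registry base URL, e.g. https://registry.example.com (placeholder).
registry_requires_auth() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1/v2/") || return 2
  [ "$code" = "401" ]
}
```

An empty or missing `htpasswd` field fails `check_secret_b64`, which matches the case in the thread where the generated Secret only contained `haSharedSecret`.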

On how to enable SSL:

Hi @yaumeg how do we provide information about tls certificate?

I do see this in values.yaml

# Set this to name of secret for tls certs
# tlsSecretName: registry.docker.example.com

I have a self-signed certificate (MyCertificate.crt and MyCertificate.key). I am not sure what to put for tlsSecretName in values.yaml. Need help with this.
